How You Fail to Oversee Due Diligence

On an abstract level, compliance professionals have to admire the money-laundering scandal still unfolding at Danske Bank. Rarely does one company offer so many compliance lessons all at once.

The scandal itself is huge: more than $230 billion in suspicious transactions funneled through Danske Bank’s branch in Estonia from 2007 to 2015. Bank executives dithered for years trying to decide how to handle the misconduct until all the dirty laundry spilled into public view in 2017. An internal investigation resulted in a report published two months ago that makes for painful reading about how compliance failures happen.

Today let’s focus on due diligence or the lack thereof at Danske Bank for years. How could something so fundamental to effective compliance be ineffective for so long?

It’s easy to fault front-line employees for failing to execute due diligence procedures adequately — and to be clear, that was the case at Danske Bank. But that only tells us how an AML failure happens.

Chief compliance officers specifically want to know how an AML failure can happen for so long. That’s a different question.

Where Due Diligence Failures Happen

Employees in the operating units are the so-called First Line of Defense, and one should always assume compliance failures will happen there sooner or later. Occasional failures are even tolerable, so long as risk management functions in the Second Line of Defense (compliance, legal, IT, audit, HR, and others) can detect and investigate those failures promptly.

So when we ask, “How could those compliance failures continue for so long?” we’re really asking how those risk management functions in the Second Line of Defense failed to detect those poor practices in the First Line and then respond accordingly.

It’s a crucial distinction because, frankly, your due diligence procedures can be the best or worst in the world. Neither case will make much difference if employees disregard them, and you in your CCO perch don’t know they’ve disregarded them.

In Danske Bank’s case, that failure to oversee due diligence was rooted in poor design of information systems. The Estonia branch maintained its own IT platform, separate from the rest of Danske Bank’s IT systems. Even the documentation was written in Estonian or Russian, rather than Danish or English.

So while Estonia branch employees were violating due diligence practices, senior executives in the corporate office didn’t understand the depth of that problem, because the information wasn’t available to them. As Danske Bank’s report said: “For a long time, it was believed within the group that the high risk represented by non-resident customers in the Estonian branch was mitigated by appropriate AML procedures.”

The Design of Proper Oversight

Organizations can avoid a trap like that by thinking through the design of their processes to oversee compliance. While the details of executing due diligence will always be important — which databases to check, what information to collect from new customers, which high-risk thresholds not to cross — chief compliance officers still need another set of processes on top of that, to ensure that you understand what’s going on.

The configuration of IT systems and applications, for example, becomes a crucial issue for compliance officers. CCOs need certainty that they are viewing all the relevant data on due diligence, rather than leaving segments of the enterprise to operate on their own.

And yet again, independence of the compliance function becomes important too, because the CCO needs an ability to act on the information he or she receives. That can entail difficult conversations about IT shortcomings, firing errant personnel, or other painful remediation steps. CCOs need the authority to push those difficult conversations forward.

Those are the true risks that can cause a massive, long-running compliance failure, whether that failure is money laundering, bribery, accounting fraud, or many other types of misconduct. They persist for so long because risk management executives either don’t see the problem at hand or can’t act on it.

So compliance officers need to think long and hard about the design of their compliance management systems, in addition to whatever due diligence procedures they implement at the transaction level. Otherwise, they risk disaster.

Building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.